Skip to content
Point and Print & Intune
Home ยป Point and Print & Intune

Point and Print & Intune

Since the Print Nightmare updates last year (2021), a lot has changed in the distribution of printers. This has to do with the fact that Microsoft has introduced additional protection mechanisms for prevention. To ensure that the distribution and installation of drivers via the print server works again, you can "quite easily" set a registry key via Intune or GPO. But ATTENTION, with this a large part of the gap is open again. But if you know how, you can deploy the "Point and Print" policies with the right settings and Intune.

More information about the exploit: CVE-2021-34527 - Security Update Guide - Microsoft - Windows Print Spooler Remote Code Execution Vulnerability

Table of Contents

Allow all - RestrictDriverInstallationToAdministrators

With disabling the installation of drivers only by administrators, the connection works again. But then again, the security gap that made Print Nightmare big is open again. That's why all the steps below are necessary (even if everything works after setting this key).

keyPathValueType
RestrictDriverInstallationToAdministratorsHKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint0DWord

To distribute this registry key, you must run a PowerShell script in Intune under "Devices > Windows > PowerShell scripts" upload. I have put the prepared script on GitHub for you:

Here is an example of the distribution:

Intune PowerShell script, RestrictDriverInstallationToAdministrators

Point and Print Restriction

To tighten up security again, we're removing users' right to perform installs for all unknown servers and non-printer drivers.

For this we create a new configuration policy (Settings catalog):
Devices> Windows> Configuration profiles

We give this a meaningful name, for example "WIN Printer Restrictions".

New Intune Settings catalog profile
Profile name and description

In the Intune policy you now add the "Point and Print Restrictions". The quickest way to find this is to use the search field.
When making your selection, make sure that the results show "Device" and not "User". Because user settings can be overwritten by any user.

Point and Print Restrictions

In the settings you now activate the "Point and Print Restrictions" and configure it according to the screenshot below.
"yourprintserver.domain.com" you replace with the FQDN of your print server(s).
For multiple servers: yourprintserver-1.domain.com;yourprintserver-2.domain.com

Point and Print settings

Device Installation Restrictions

In addition to the restrictions created above, we also define which class of drivers may be installed.
To do this, either in the same policy or in a new policy, add the subcategory "Allow installation of devices using drivers that match these device setup classes" under "Device Installation Restrictions" and activate it.

Allow installation of devices using drivers that match these device setup classes

In the "Allowed classes" you now add the printer drivers:

  • {4658ee7e-f050-11d1-b6bd-00c04fa372a7}
  • {4d36e979-e325-11ce-bfc1-08002be10318}
Allowed classes, Printers

All classes: System-Defined Device Setup Classes Available to Vendors - Windows drivers | Microsoft Learn

Finally, you assign the guideline(s) to a group and save it.

Do you want to distribute one or more shared printers with Intune?
Then I have an article for you here: Shared printers with Intune | scloud

By the way, you can also find these printer guidelines, which I have described here for Intune, in the classic GPOs.

Leave a Reply

Your email address will not be published. Required fields are marked *